Password Evaluator
Pwcheck.pl Instructions
Overview
This evaluator was developed at a time when passwords of modest length (6 to 10
characters) with a lot of character diversity (the full 95 typeable ASCII
character set) were generally regarded as the best way to make good passwords.
The defaults were set to fail any password that made any of the well known
mistakes that result in easily cracked passwords in such an environment.
When I recalculated the password cracking time table in 2007 I significantly
underestimated the advance in computing power. When I recalculated it on
May 24, 2012, it was a rude awakening. When faced with a single computer as
suggested by the table, 8 character passwords don't look bad and 10 look secure.
Except that . . .
The whole cracking environment has changed. The cracking tools are fully
network ready (they can use CPUs from other computers) and have sophisticated
new capabilities not even hinted at in 2007. The replacement of single core
with multi core computers has put huge numbers of fast computers in poorly
defended home and small business environments. Your skilled neighborhood
cracker may have 10 to 1000 or so computers at his disposal. Organized crime
has become part of the cracking environment. Opponents with computing power
equal to a thousand to a million times a fast desktop are now plausible.
A good 8 character password can fall to brute force in a few minutes and a
10 character password in less than a month. A 12 character password now starts
to look like the minimum length that can provide any safety.
Mark Burnett has pretty much convinced me it's time to seriously consider using
15 character and longer passwords.
I need to upgrade my passwords on pretty much every system I use. At least none
are shared between systems and all were created by my password generator, so
none are horrible; they just are not long enough to stand up to today's
computers with their ability to easily crack 8 and 9 character passwords. By
the time I'm done, all will be 12 characters or longer, unless I decide to go
with all 15 character and longer passwords.
I've spent a fair amount of time reworking the Password Evaluator. Its new
default minimum length is 15 characters. But when passwords become this long a
lot changes. One thing you still do not want to do is use one long dictionary
word as the basis for your password with a couple of character substitutions
and 2 to 4 characters at the ends. Other things, things that make it easy to
remember and or type, become OK. Four words? A cracker cannot go through all
combinations of four words drawn from a large word list, especially when
arbitrary punctuation, symbols or numbers separate them. Lots of the same
character, alphabetic and keyboard sequences, repeated patterns? All are pretty
much OK. Just DO NOT TELL ANYONE HOW YOU MAKE YOUR PASSWORDS.
The default settings have mostly been changed to allow you to do things in long
passwords that are too dangerous in short ones. If you want to test short
passwords, don't just change the minimum password length. Select the original
defaults for 6 character passwords. You will see that nearly all settings are
quite different. If you want to test strong conventional passwords from 12 to
14 characters, select the 12 character password settings. Again most of the
settings differ from the 15 character settings, but they are closer to the
6 character settings. A 15 character password is almost a million times (95^3)
stronger than a 12. The settings are obviously user changeable, but I know how
the evaluator works, and I've tried to make settings as relaxed as is
appropriate to the password length while still mostly warning you when you are
doing something that is likely to give a cracker an exploitable advantage.
Password Evaluator is designed to examine passwords and tentative passwords
for dictionary words and patterns that a password cracking tool might exploit.
It looks for reversed, rotated, keyboard shifted and truncated words, words
with dropped or substituted letters, and other variations on dictionary words,
both singly and in many combinations. It looks for too many of a single
character, keyboard and ASCII sequences, a character repeated too many times
without different intervening characters, and character patterns that repeat.
It looks for phone numbers, dates and social security numbers.
The intent is to find any password that could be found in a
dictionary or electronic word list, as well as any plausible
programmatic variation of such words, including combinations of
two or more words, and combinations of words with patterns that
might be generated from character arrays representing the ASCII
collating sequence or the keys on a standard keyboard.
It's still a really bad idea to have one long word form the basis of a
password. It makes no practical difference how many transformations you apply
or if you add a few characters to the front or back. These are exactly the
kinds of changes that cracking tools were designed to find. Today a desktop
computer can test an English unabridged dictionary with a million variations
per word in under 3 hours. Two words separated by a character are only a
little better. A few more non letter characters in the front, middle and back
will certainly help. What's interesting is that as you go to three words, the
words no longer help the cracker. The number of combinations begins to work
against the cracker, especially if one of the words is a medium length word
(7 - 9 characters). Of course you need to avoid really stupid combinations
like iloveyou, which is technically 3 words but only 8 letters and sits near
the top of every published list of most used passwords. Probably every
variation you could think of trying to make to those 3 words already has been
programmed by many crackers. Four words drawn from a large word list makes the
number of combinations far larger. If adding some non letters between the
words pushes the length over 15, and you've avoided any well known phrase,
you are getting into a seriously strong password.
Any pattern that can be described, or any word that can
be varied in a manner that can be described, and any combination
of these, are more likely to produce passwords in actual use than
a brute force method. Thus, password cracking tools are likely
to acquire the capabilities to manufacture large subsets of what
have traditionally been thought of as good passwords.
Password evaluator in a web form is purely advisory. Users are free to
disregard errors as well as warnings, though password evaluator will not
display length and strength for any password with one or more "error"
conditions. If a user believes the minimum password requirements are too
stringent, there are numerous configuration options that will allow them to
be relaxed. Shortening the minimum password length, lengthening the minimum
or maximum dictionary word lengths, increasing the maximum word length ratio,
increasing the allowed number of any maximum character or pattern type, not
checking for specific password types, and not checking for words across non
letters, will all loosen conditions that generate errors.
With the original settings for 6 character passwords, a password
with a length over 10, and a strength over 7 (no errors),
should not be easily cracked with today's (2012) cracking
tools using default rules and an unabridged dictionary available
online. Note the caveats: default rules and online dictionaries.
Serious crackers won't be using default rules and dictionaries
sold with cracking tools are likely more complete than the public
domain unabridged dictionaries that are readily available and
very old. This is the minimum for a "strong" password.
The last tables I calculated are well over a year old (another doubling of
computer speeds). The tables are based on assumptions and estimates that
cannot be verified. 12 characters with a strength of 10 is much safer. I'm
seriously thinking about 14 or 15 character passwords for all new passwords.
15 characters or more should allow for more relaxed rules, but I'm old school
and find it hard to create passwords that do not use all character types:
upper and lower case, digits, and symbols or punctuation.
Password evaluator includes a significant list of common
names as well as lists of common passwords.
It does not include words drawn from lists
related to popular culture or other specialty areas. Thus it will
likely miss passwords based on sports, contemporary musical groups
and movies, slang, brand names, and other terms in common use today,
but not readily available in existing online word lists.
It would be very useful to have all of the following for the past
50 to 100 years: singers and bands that released commercial recordings;
movie and TV titles plus all actors; makes and models of cars;
brand names and products sold in supermarkets, department stores and
drugstores; every player from major league sports and all olympic medalists
and podium finishers in international sports. I've probably missed
several lists. Somebody has most of these or at least large parts
of them, but no one is giving them away free online, that I've seen.
Comprehensive lists of these and other popular culture items would likely
crack many of the passwords that have so far remained uncracked.
We know people prefer to use the names of people and things that
they relate to as the basis for most known passwords. To the best
of my knowledge none of these lists are readily available in anything
close to complete lists. It only makes sense that a large portion
of uncracked passwords are the names of people and things that
simply do not appear in an unabridged dictionary or existing
cracking dictionaries. A small percent of users do use strong
passwords so these also account for a portion of those passwords
that remain uncracked.
Strength
Loosening the conditions that cause errors to be reported will
not affect the strength calculation. This is based on password
length and character diversity.
When I wrote the evaluator more than a decade ago I thought a strength of 2
was the beginning of reasonable resistance to brute force attacks. Today
(2012) I'd say anything under 7 should be for unimportant throwaway accounts.
The strength ratings are intended solely as relative strength ratings. From
1 upward, each step represents ten times greater resistance to brute force
attacks than the step before. There are no fractional ratings so there is no
5.99 or 11.01. A 9 is more than 10 times stronger than a 7 and less than 1000
times stronger; on average a 9 should be about 100 times stronger than a 7.
This scale seems appropriate, as the number of CPU cycles necessary to crack
a password by brute force jumps significantly with each additional character
and each additional character type.
It's worth noting that a "good" 8 character password is likely to get a
strength of 3. Against a single fast desktop some may consider this adequate.
It takes almost 25 days to do all 8 character passwords, so in practice about
2 weeks is likely for any specific password. If a cracker was using his own PC
to do this, that would require some patience. If he had a handful of
compromised computers working on this, it's quite different. He'd start them
running and check them periodically. By the end of the first week he'd have
all dictionary words and pretty much every conceivable transformation, plus
all 8 character passwords. If the opponents targeting a system where you have
a password are Russian mafia, who may have a fast network of computers
(including many compromised systems), those 25 days shrink to hours.
When talking about length and strength, nearly everyone considers four
character groups: lower case letters, upper case letters, digits and symbols.
To calculate password strength, I've taken a somewhat different approach. I've
counted upper and lower case consonants and vowels separately. I do this
because nearly all password cracking tools recognize these as different
character groups and there is nothing to stop a cracker from focusing on
vowels or consonants. Any password that has a consonant in either case and a
vowel in the other case gets the full 52 character count. Mixed case vowels
alone are counted as twice the 10 characters they represent; it's a set of
characters no one is likely to look for. The ten digits count for 10 and are
vastly more likely to be looked for than mixed case vowels with no consonants.
Searching for vowel-only passwords makes no sense because there is no evidence
to suggest anyone makes passwords with only vowels. Mixed case consonants, on
the other hand, get no bump; they already count for 42 which is not far from
52. There is good reason to look for consonants only; it's well known this is
one of the ways some people make passwords. I'd guess anyone reading this can
tell what the following words are: psswrd, cnt, cnsnnt, dctnry. I'd give 52
for mixed case vowels only before giving 52 for mixed case consonants only.
If there are only a few letters in a password, mixed case consonants with a
vowel in either case is probably marginally stronger than any combination
except both mixed case vowels and consonants.
There is no one right way to calculate password strength because every good
password cracker is likely to take a somewhat different approach. Each
approach will crack different passwords at different speeds and most will
miss some passwords the others find. To give an honest strength rating to
passwords, I have to apply my knowledge of cracking techniques to the
likelihood of what crackers will do first and what they are most likely to do
or not do.
For this reason I also divide the symbols into three groups:
the top of the keyboard (!@#$%^&-_=+);
punctuation ( ;:'",./?) which includes the space;
programming symbols (`~()[]{}<>|).
Any password using two symbols from any two groups gets credit for all 32
symbols. When explaining good passwords to anyone without a good technical
background, it's hard enough to explain the need for symbols in passwords, let
alone why some symbols may be better or worse than others. You could argue all
day about the groups I chose and which symbols I put in each group. All I can
say is that I made what I believe to be the best selection.
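As an added illustration (not the pwcheck.pl source), the following Python puts the character-group credit described above into code: consonants and vowels are credited per case, digits are one group, and the symbols use the three groups just listed. The page does not give the exact rating formula, so the strength() function uses an assumed floor(log10(alphabet^length)) - 10 scale, fixed so that the two figures stated on this page hold (the full lower case alphabet rates 26, cat824 rates 0); the placement of * and \ in the top-row group, and the credit given when only one symbol group appears, are also assumptions.

```python
"""Effective alphabet and a relative strength scale, as the page describes.

Added example for this page, not the pwcheck.pl source.  Consonants and
vowels are credited per case, digits are one group and the symbols fall
into the page's three keyboard groups.  The rating formula is an assumption.
"""
import math
import string

VOWELS = set("aeiou")
CONSONANTS = set(string.ascii_lowercase) - VOWELS

# Symbol groups exactly as the page lists them.  '*' and '\\' are not placed
# by the page; putting them in the top-row group is an assumption here.
SYMBOL_GROUPS = {
    "top": set("!@#$%^&-_=+*\\"),
    "punct": set(" ;:'\",./?"),
    "prog": set("`~()[]{}<>|"),
}


def letter_credit(pw):
    """Alphabet credit for the letters in pw, following the page's rules."""
    lc = any(c in CONSONANTS for c in pw)                  # lower-case consonant
    uc = any(c.lower() in CONSONANTS for c in pw if c.isupper())
    lv = any(c in VOWELS for c in pw)                      # lower-case vowel
    uv = any(c.lower() in VOWELS for c in pw if c.isupper())
    if (lc and uv) or (uc and lv):
        return 52          # a consonant in one case and a vowel in the other
    if lv and uv and not (lc or uc):
        return 20          # mixed-case vowels only: twice the 10 characters
    if lc and uc and not (lv or uv):
        return 42          # mixed-case consonants only: no bump
    # Remaining single-case combinations: credit the groups present
    # (assumption; it gives 26 for lower-case-only letters).
    return 21 * lc + 21 * uc + 5 * lv + 5 * uv


def symbol_credit(pw):
    """32 when symbols from two different groups appear; otherwise the size
    of the one group present (that fallback is an assumption)."""
    present = [g for g in SYMBOL_GROUPS.values() if any(c in g for c in pw)]
    if len(present) >= 2:
        return 32
    return sum(len(g) for g in present)


def alphabet_credit(pw):
    """Total effective alphabet credited to pw."""
    credit = letter_credit(pw) + symbol_credit(pw)
    if any(c.isdigit() for c in pw):
        credit += 10
    return credit


def strength(pw):
    """Relative strength: each step is ten times the brute-force work.

    Assumed formula: floor(log10(alphabet ** length)) - 10, floored at 0.
    The offset 10 makes the two figures the page gives come out right (the
    full lower-case alphabet rates 26, cat824 rates 0); other passwords may
    rate differently than in the real evaluator.
    """
    credit = alphabet_credit(pw)
    if not pw or credit == 0:
        return 0
    return max(0, math.floor(len(pw) * math.log10(credit)) - 10)


if __name__ == "__main__":
    for pw in ("cat824", "boat11", "abcdefghijklmnopqrstuvwxyz", "Tk7#;bQ2"):
        print(f"{pw!r}: alphabet {alphabet_credit(pw)}, strength {strength(pw)}")
```

Run as a script it prints the alphabet credit and rating for a few constructed passwords; the two page examples give 36/0 for cat824 and 26/26 for the lower case alphabet.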
The fact is that not all symbols are equal when it comes to cracking passwords
and I believe that good crackers prioritize this group more than any other,
and may even completely exclude characters from it. How often does anyone use
the tilde ("~")? Not only is it rarely used, it's shifted and an extreme reach
for the small finger of most people's weaker hand. It's hard to type. It's
also the last character in the ASCII collating sequence, after {, |, }. These
are also shifted and the last two, the pipe and right curly brace, are pretty
good stretches for the right little finger. If I were to use a brute force
attack, these four would be the last characters I'd use; I might even consider
not using them. Not one of them ever appears in a list of the 10,000 most
common passwords. That makes these four characters great characters with which
to start a strong password. Actually doing anything that 99% of computer users
don't do with passwords will make for stronger passwords; they may not be good
passwords for you, if you have trouble typing or remembering them.
Except for systems that require an email address as an account name
and the computers I own where I use the same user name, all
of my user or account names and all my passwords are different. All
of my passwords have been generated by my password generator using non default
patterns which I change from time to time, and were believed to be
uncrackable at the time I selected them.
I don't believe in routine or frequent changes of uncrackable passwords.
Passwords should be changed if there is any reason to believe either
the system they are on or the account has been compromised.
In 2012 I got a rude surprise when I did some research into current password
crackers and recalculated my
password cracking time
tables. I did not feel a sense of urgency; all my passwords
were strong by normal standards. But I knew most of my passwords needed to
be upgraded. I've been doing so since then and all changed passwords were
at least 12 characters with a strength rating of at least 10. At the end
of 2013 I'm quite seriously thinking about a minimum length of 14 and
strength of 15 or higher.
15 is the default minimum length in the
password evaluator set in 2012. Associated with the length increase
are greatly relaxed standards for repeated characters and various
common character sequences (keyboard, consecutive letters and or
numbers, etc.). NEVER shorten the
minimum password length with the new defaults; ALWAYS select the 6 or
12 character password settings with the links provided.
Shortening the minimum password length, while leaving the other defaults from
the minimum 15 character length, renders the Password Evaluator unable to find
any dictionary word shorter than 8 characters, making the results useless with
ordinary length passwords. It also cannot find dangerous keyboard and ASCII
sequences, repeated characters, or repeated character groups.
I suggest everyone consider the minimum lengths and strengths I've
discussed here, at least for any accounts that contain
sensitive information or are important like bank and credit card
web sites.
Check Passwords for Systems Using LM Hashes (Pre Vista Windows and Other Systems)
If you are using Windows Vista or later you do not need to check this
option, UNLESS you have deliberately enabled LM (LAN manager) hashes.
If you are using any version of Windows prior to Vista you DO need to check
this option, UNLESS the Windows version is 2000 SP2 or later and you have
followed one of the procedures described on this Microsoft Support page to
disable LM hashes. If for some reason you are still using any version of
Windows older than 2000 SP2, you need to check this option.
ALSO, some systems that are not Windows, including Macs and Unix
variants with SAMBA installed, have used LM hashes to take advantage
of shared Windows printers and folders, or to make them available.
Any system still using LM hashes needs to check this option.
If you use Windows you should read
this page to understand the
weakness of Windows password storage and why you need passwords 15
characters or longer that have never been seen by you or anyone else
before. You may also create uncrackable passwords by using an
unprintable character in your password. These may be entered in
various ways on different systems.
See how.
Because of the unusual way in which LM hashes are created, most of the usual
recommendations for forming good passwords don't apply. If this option is
checked, Password Evaluator will adjust to LM hash peculiarities. First the
password is split into two 7 character pieces which are checked separately.
Case is ignored and maximum dictionary word length is set to 2.
With 7 character pieces, even a three character word at the beginning of a
piece will greatly simplify a cracking tool's task. Beginning an LM half with
a three character word effectively reduces the problem to a 4 character brute
force attack, which many cracking tools will handle easily.
The highest possible LM hash strength is 4 and this will
include at least one
Alt code
character. It will also include two symbols or punctuation from
different parts of the keyboard and a consonant, vowel, and digit.
NOTE: Entering Alt code characters will create passwords that are much
stronger than the listed strength. Because cracking tools rarely include these
characters in their character sets, and there are so many of them, these
passwords are very unlikely to be cracked until the cracking tools and their
assumptions change.
The total strength of an LM hash password will be the strength of
the stronger half.
For most purposes the other piece can be ignored; it's not needed
and does not matter even it contains errors. Two pieces rated
4 will be somewhat stronger than one piece but this is not
significant on an exponential scale.
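An added example (Python, not the Perl source of the evaluator) of the LM treatment described above: the password is upper-cased, split into the two 7-character halves LM actually hashes, each half is checked alone for a leading dictionary word longer than 2 characters, and the brute-force space left for each half is computed from the 69-character LM alphabet. The word list is a constructed sample; the 69-character figure (26 upper case letters, 10 digits, 33 printable symbols), the 14-character limit and the DES detail in the docstring are standard facts about LM hashing rather than something the page states.

```python
"""What the LM-hash option does to the evaluation: added example, not the
pwcheck.pl source.

LM hashing (pre-Vista Windows, and Samba with LM enabled) upper-cases the
password, pads or truncates it to 14 bytes and hashes the two 7-byte halves
independently (each half is a DES key encrypting the constant "KGS!@#$%").
A cracker therefore attacks two 7-character, case-insensitive strings, and a
password of 15 or more characters has no LM hash to attack at all.  As the
page says, each half is checked on its own with the maximum dictionary word
length set to 2.
"""

# Characters that survive LM's upper-casing: 26 letters, 10 digits and the
# 33 printable non-alphanumeric characters.
LM_CHARSET = 26 + 10 + 33        # 69

# Constructed sample word list standing in for the evaluator's dictionary.
SAMPLE_WORDS = {"cat", "rat", "dog", "pass", "word", "the", "sun", "secret", "admin"}


def lm_halves(password):
    """The two 7-character halves LM would hash (upper-cased, NUL padded),
    or None when the password is too long to have an LM hash."""
    if len(password) > 14:
        return None
    padded = password.upper().ljust(14, "\0")
    return padded[:7], padded[7:]


def leading_word(half, words=SAMPLE_WORDS, max_word_len=2):
    """Longest dictionary word longer than max_word_len at the start of a
    half, or '' when there is none."""
    text = half.rstrip("\0").lower()
    for n in range(len(text), max_word_len, -1):
        if text[:n] in words:
            return text[:n]
    return ""


def remaining_space(half, words=SAMPLE_WORDS):
    """Brute-force candidates left for one half once a leading dictionary
    word is tried first: LM_CHARSET to the power of the uncovered characters."""
    live = len(half.rstrip("\0"))
    return LM_CHARSET ** (live - len(leading_word(half, words)))


def lm_report(password, words=SAMPLE_WORDS):
    """Per-half findings; the password's LM strength is that of the stronger
    half, so the effective space is the larger of the two."""
    halves = lm_halves(password)
    if halves is None:
        return {"lm_hash_stored": False, "effective_space": None}
    spaces = [remaining_space(h, words) for h in halves]
    return {
        "lm_hash_stored": True,
        "halves": [h.rstrip("\0") for h in halves],
        "leading_words": [leading_word(h, words) for h in halves],
        "half_spaces": spaces,
        "effective_space": max(spaces),
    }


if __name__ == "__main__":
    for pw in ("Cat8Rat!xyz", "Password1", "fifteen-chars!!"):
        print(pw, lm_report(pw))
```

For "Cat8Rat!xyz" the first half "CAT8RAT" starts with a dictionary word, leaving 69^4 candidates, and the second half "!XYZ" has only four live characters, so the whole 11-character password is worth no more than a 4-character LM brute force. The 15-character input reports that no LM hash is stored at all, which is the point of the 15-character advice above.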
Minimum Password Length
Sets the minimum number of characters allowed in a password. Any password
less than this length will generate an error message.
Minimum Dictionary Word Length
Sets the minimum number of characters that Password Evaluator treats as a
word. When checking pure alphabetic passwords, it may be advantageous to set
this to 4 or higher. Password evaluator treats any dictionary word that is
not fully contained within another found word as a word, including reversed
words. Any pronounceable letter sequence has a good chance of containing
multiple words, though there may not be any practical programmatic way to
put these together. For example, "quirehc" contains quire and reversed che.
The longer a pronounceable alphabetic sequence becomes, the more likely it is
to contain multiple words, and the less likely it is that there is a general
description of the method by which it was created, i.e., an algorithm or
specific set of steps that would generate similar passwords. A cracking rule
that requires knowledge of the specific password is meaningless, since the
sole purpose of cracking is to find unknown passwords that cannot be
predicted from the hashes used to store them. Without such an algorithm, the
cracking tools have no method for generating such a password.
Raising the minimum word length to 4 significantly reduces the number of run
together and overlapping words in long alpha only sequences.
For passwords less than 11 characters it is a bad idea to
increase the minimum over three as
this prevents Password Evaluator from catching fairly obvious
passwords such as "dog8cat". Not only is it "clever" but it consists of
two short, very common words,
separated by a non letter. This may be the simplest and most
productive custom dictionary to program after the standard
dictionary transformations. Without a large supply of uncracked passwords
to test this on, there is no way to know.
With long passwords things are very different. A password which happens to
have one each of 3, 4, 5 and 6 character words is already 18 characters. Add
digits and or punctuation characters to separate them and you are at 21. Brute
force over 21 arbitrary characters has no chance; the only practical attack is
to guess how the password was built, the word list, the number of words and
the separators, and enumerate that construction.
Take the very small Linux dictionary, about 45,000 words, of which 13,124 are
3, 4, 5 or 6 characters long. The number of ordered arrangements of k words
drawn from n words is n^k, so there are 13,124^3, about 2.3e+12, three word
arrangements and 13,124^4, about 3.0e+16, four word arrangements. By
comparison there are 95^12, about 5.4e+23, twelve character passwords from the
95 character keyboard. So four words from a small dictionary, with nothing
else, are within reach of a cracker who knows the word list and the
construction; that space is about seven orders of magnitude smaller than the
12 character brute force space. What pushes the numbers out of reach is
everything the cracker cannot assume. Three separators chosen from the 33 non
letter characters multiply the count by 33^3, about 36,000, to roughly 1.1e+21
for the small dictionary. A 100,000 word list gives 1.0e+20 four word
arrangements before separators and about 3.6e+24 with them, past the 12
character brute force space. Add arbitrary capitalization, an unknown number
of words and an unknown word list, and there is no single space for the
cracker to enumerate.
There are about 2.9e+47 (95^24) possible 24 character passwords, and the
four six letter word passwords are a small but still large subset of them. To
make such passwords easier to read and probably type, we could always put the
easy to type semi-colon (the only punctuation character directly under a home
key finger) between each word. Or on most modern systems we could simply use
a space. Always doing either does not make more passwords but it does
lengthen all by three characters, bringing the all 3 letter word pass phrases
up to 15 characters. A cracker cannot deal with this password space unless he
knows how it was built. Unless the user does something stupid, like pick a
series of words that are a common phrase or part of a common phrase, these
pass phrases are not crackable with today's tools.
The new password defaults are set up to test passwords 15 characters and up.
To test shorter passwords DO NOT just change the minimum password length.
Instead click on original defaults for 6 to 12 character passwords or use
suggested defaults for 12 to 14 character passwords. The new default settings
will not work with shorter passwords. In particular no dictionary words can be
found. This is the primary benefit of using the evaluator and it is simply a
waste of time to test short passwords with the default settings. Also, the
settings that made sense with short passwords will not work with long
passwords that deliberately contain multiple words, patterns, character
sequences, or repetitive characters to make them easy to remember.
Setting the Minimum Dictionary Word Length over the longest word in a
password disables dictionary checking for that password. Setting the
Minimum Dictionary Word Length above 10 disables dictionary checking for
most practical purposes. Setting it to 99 or any length longer than any
password you plan to enter disables all dictionary testing. If this
is done, none of the maximum word related settings need to be changed.
Disabling dictionary checking largely defeats the purpose of using the
Password Evaluator.
Maximum Dictionary Word Length
Sets an upper length limit on the longest dictionary word allowed in any
password. Any dictionary word that is longer than this length, after non
letters have been removed, will trigger an error. If the word is truncated,
the length of the word after it is completed to match a dictionary word is
used. Generally the maximum word length ratio is more important. The maximum
word length can be used to set an absolute limit, but why? A word that is 6
characters in a 10 character password is more useful to a cracker than an 18
character word in a 30 character password. There is no way to try the word
separately. Which of the 8 to 9 hundred 18 character words are you using?
While there are about 20 times more 6 character words, the 12 non word
positions in the 30 character password can be filled 95^12 (about 5.4e+23)
ways, against 95^4 (about 8.1e+7) ways for the 4 non word positions in the 10
character password, roughly 16 orders of magnitude more before counting the
places the word can sit. All this assumes you know you are dealing with a
password exactly 30 characters long containing one word exactly 18 characters
long. If the source of that intelligence is reliable, how could it know the
exact password length and word length, but have no clue as to the location?
The longer the password, the less one long word of the same ratio between
word and password length matters.
Maximum Dictionary Words
Limits the maximum number of dictionary words allowed in a password.
The default is 1. The allowed
word or words must be no longer than the maximum dictionary word
length or the maximum length compared to the maximum dictionary
word ratio. This allows dictionary words or transformations of
them that are a limited part of a password. It's very hard to
create long pronounceable alphabetic sequences without getting
any short words or any possible variation of a word in them.
Setting maximum dictionary words to 2 will prevent Password
Evaluator from finding relatively obvious passwords like "cat8rat"
which it was expressly designed for.
As password length increases to the point where 3 or more short words will
fit, plus some additional characters, it starts to make sense to allow
multiple words. Passwords long enough to hold 4 or more words and a few
additional characters appear to be uncrackable provided well known phrases and
similar mistakes are not made and the cracker does not know how the password
was built. With a large word list and unpredictable separators, the number of
possible 4 word passwords is comparable to or larger than the number of 12
character passwords from the full keyboard, and the cracker does not know
which construction to enumerate.
Setting this to 0 will prevent any word or identified
transformation of a word from being accepted in any password. A
word is any character sequence equal to or longer than the
minimum dictionary word length that appears in the dictionary
used for checking. Straight lookups and reversed word lookups
are always performed. Some of the tests cannot be performed or
make no sense on short character strings so the Password
Evaluator contains some hard coded lower limits related to word
length.
Maximum Word Length Ratio
Maximum word length ratio may be the most important single setting. The
default is .66 for passwords of all lengths. It's the only setting that is the
same for all password lengths. This results in the rejection of any password
where a dictionary word or variation on a dictionary word is two thirds or
more of the total length. The setting .67 is much weaker for short passwords,
and I personally would be uncomfortable with settings over .7 for even very
long passwords. The default .66 limits 6 character passwords to one three
letter word, 7 character passwords to a four letter word and 8 and 9 character
passwords to five character words. Six, seven and eight character passwords
must have at least three characters that are not part of a dictionary word.
Nine character passwords need at least four non word characters. .66 will
allow cat824 or batxzt but not boat11 (4/6 = .667). .67 would allow boat11.
There is no question that cat824 is a weak password but that is reflected by
its 0 strength rating.
Having to find three non word characters adds a significant computational
overhead. If only letters are being examined the work load is increased by a
factor of 26^3 = 17,576. If all 95 printable characters are being checked,
the factor is 95^3 = 857,375. Depending on assumptions regarding character
sets and word lengths used, "cat824" is somewhat to many times stronger than
"cat8rat". "cat8rat" is very much at the easy end of passwords made from two
short words separated by a non letter, based both on word frequency and
password length.
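The following Python is an added example written for this page, not pwcheck.pl itself. It implements the Minimum Dictionary Word Length, Maximum Dictionary Words and Maximum Word Length Ratio settings discussed in the last three sections, including reversed words, the rule that a word fully contained in another found word is not counted separately, and the "words across non letters" switch, against a constructed sample word list. The examples from the text come out as described: cat824 passes at .66, boat11 fails at .66 and passes at .67, quirehc yields quire and reversed che, and dog8cat is caught at a minimum word length of 3 but not 4.

```python
"""Dictionary-word checks behind the Minimum Dictionary Word Length, Maximum
Dictionary Words and Maximum Word Length Ratio settings, and the 'words
across non letters' switch.  Added example written for this page; it is not
the pwcheck.pl source, and SAMPLE_WORDS is a constructed stand-in for a real
dictionary, so other inputs will be judged differently than by the tool.
"""
import re

SAMPLE_WORDS = {  # constructed sample dictionary
    "cat", "rat", "dog", "bat", "boat", "love", "you", "quire", "che",
    "pass", "word", "password", "sun", "shine", "horse", "staple",
}


def find_words(password, words=SAMPLE_WORDS, min_len=3, across_non_letters=True):
    """Dictionary words found in the letters of password, read forwards or
    reversed.  A word fully contained in another found word is dropped.
    With across_non_letters the non-letters are removed first, so "ca8t"
    yields "cat"; without it each run of letters is searched on its own."""
    text = password.lower()
    if across_non_letters:
        segments = [re.sub(r"[^a-z]", "", text)]
    else:
        segments = re.findall(r"[a-z]+", text)
    found = []
    for seg in segments:
        hits = [(i, j) for i in range(len(seg))
                for j in range(i + min_len, len(seg) + 1)
                if seg[i:j] in words or seg[i:j][::-1] in words]
        for i, j in hits:
            contained = any(a <= i and j <= b and (a, b) != (i, j) for a, b in hits)
            if not contained:
                found.append(seg[i:j])
    return found


def word_errors(password, *, min_word_len=3, max_words=1, max_word_len=99,
                max_ratio=0.66, across_non_letters=True, words=SAMPLE_WORDS):
    """Apply the word-related settings; returns the error messages (an empty
    list means the password passes these checks).  The ratio compares each
    word to the whole password length; two thirds or more fails at .66."""
    found = find_words(password, words, min_word_len, across_non_letters)
    errors = []
    if len(found) > max_words:
        errors.append(f"{len(found)} dictionary words ({', '.join(found)}); max {max_words}")
    for w in found:
        if len(w) > max_word_len:
            errors.append(f"word {w!r} is longer than {max_word_len}")
        ratio = len(w) / len(password)
        if ratio >= max_ratio:
            errors.append(f"word {w!r} is {ratio:.2f} of the password; max ratio {max_ratio}")
    return errors


if __name__ == "__main__":
    for pw, opts in (("cat824", {}), ("boat11", {}), ("boat11", {"max_ratio": 0.67}),
                     ("dog8cat", {}), ("dog8cat", {"min_word_len": 4}), ("quirehc", {})):
        print(f"{pw!r} {opts}: {word_errors(pw, **opts) or 'ok'}")
```

The substring scan is quadratic in the password length, which is fine for passwords; a real dictionary lookup would replace the SAMPLE_WORDS set with a loaded word list and leave the logic unchanged.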
If the intent is to use only strong passwords, then the minimum length should
probably be set to 12 and only passwords rated around 12 or higher considered.
If you have obtained a strength reading for a very long password by disabling
several to all of the tests, the strength rating you have obtained is highly
suspect. The full lowercase alphabet, i.e., a 26 character password, will give
you a strength reading of 26. Don't believe it. As more people begin to use
long passwords, the crackers will start to add the trivial variations of these
to their dictionaries. On the other hand, if you use the full alphabet, but
upper case a few arbitrary letters or switch the order of a couple of
character pairs or substitute a couple of lookalike symbols, it very quickly
becomes a very different game, with the advantage having swung back to you, at
least for about the next decade or so. If you did all three, it is very
difficult to see how the password could be cracked for the foreseeable future.
Maximum Character Occurrences
Sets an upper limit on how many times a single character can appear
in a password. If the number is 1 or more it's treated as a count of
how many times any single character may appear in a password. If it's
less than 1, then the character cannot comprise a larger portion of
the password than the percent represented by the entered value.
The default is 0.8 for 15 character passwords,
which allows any single character to make up no more than 80% of the
characters in a password. 0.4 is suggested for 6 character passwords,
which is 2 in a six character password, 3 in seven, eight and nine
character passwords and 4 in ten and eleven character passwords.
0.5 is suggested for 12 to 14 character passwords. A 0 disables this check.
Minimum Duplicate or Mirrored Sequence Length
Most sequences discussed here are sequences from the ASCII collating
sequence or the keyboard. Here we are talking about any sequence of
"unrelated" letters that is duplicated or mirrored. Most often it
means a word or part of a word, though it could be anything. This can
also be less than 1, in which case it is the integer portion, obtained by
multiplying the password length by this number. The default for 15
character passwords is 0.6, and since you cannot duplicate something
in a space that is more than half the length of the space, it is
disregarded in 15 character passwords. 3 characters are suggested
for 6 to 11 character passwords and 4 characters for 12 to 14 character
passwords. Any value greater than 0.5 and less than 1 disables this check.
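The duplicate or mirrored check as described above, written out as an added Python example (this is not code from pwcheck.pl). It assumes that a run only counts when its copy or its reverse appears later in the password without overlapping, and that a resolved minimum below 1 disables the check.

```python
def resolve_limit(limit: float, length: int) -> int:
    """A value of 1 or more is an absolute count; a value below 1 is a
    fraction of the password length, keeping only the integer portion."""
    return int(limit) if limit >= 1 else int(length * limit)


def has_duplicate_or_mirror(password: str, min_len: float = 3) -> bool:
    """True when some run of at least min_len characters occurs again later
    in the password, either as-is (duplicate) or reversed (mirror).

    A run cannot be repeated in less than twice its own length, so once the
    resolved minimum exceeds half the password length (e.g. the 0.6 default
    applied to 15 characters) the check is disabled, as the page describes.
    A resolved minimum below 1 is treated as disabled too (assumption)."""
    n = len(password)
    need = resolve_limit(min_len, n)
    if need < 1 or need > n // 2:
        return False
    # Longest candidates first; any hit is enough to reject the password.
    for size in range(n // 2, need - 1, -1):
        for i in range(n - size + 1):
            chunk = password[i:i + size]
            rest = password[i + size:]   # only non-overlapping later text
            if chunk in rest or chunk[::-1] in rest:
                return True
    return False
```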
Maximum Sequence Characters
Sets an upper limit on how many consecutive characters from the ASCII
collating series or keyboard sequences are allowed.
Sequences are in either direction so "345" is
a sequence as is "cba". Keyboard sequences are physical keys regardless of shift
state so "6&8" is a sequence as is ">,M" and "*&6". The maximum
sequence characters also applies to alternate character sequences
so that "*j1a2c3K?" would be disallowed as would "1b^o5a$T!" ("^5$"
is a reverse alternate character keyboard sequence). This can
also be less than 1, in which case it is the integer portion, obtained by
multiplying the password length by this number.
The default is 0.5 for 15 character passwords which is 7 characters for 15 character
passwords and 8 characters for 16 character passwords. 2 character sequences are
suggested for 6 to 12 character passwords and 3 character sequences for 12 to 14
character passwords. A 0 disables this check.
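The sequence rules above, as an added Python example that is not part of pwcheck.pl: runs are detected in ASCII collating order or along one row of a US keyboard (shift state ignored), in either direction, both for contiguous characters and for every other character. The keyboard rows and the US layout are assumptions.

```python
# US keyboard rows, unshifted and shifted, so that shift state can be ignored.
KEYBOARD_ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
SHIFTED_ROWS = ["~!@#$%^&*()_+", "QWERTYUIOP{}|", 'ASDFGHJKL:"', "ZXCVBNM<>?"]
UNSHIFT = {s: u for srow, urow in zip(SHIFTED_ROWS, KEYBOARD_ROWS)
           for s, u in zip(srow, urow)}
ROW_OF = {ch: row for row in KEYBOARD_ROWS for ch in row}


def resolve_limit(limit: float, length: int) -> int:
    """1 or more is an absolute count; below 1 is a fraction of the length."""
    return int(limit) if limit >= 1 else int(length * limit)


def _is_run(chars: str) -> bool:
    """True if chars step by exactly one, up or down, in ASCII collating
    order or along one physical keyboard row (shift state ignored)."""
    if len(chars) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(chars, chars[1:])}
    if steps in ({1}, {-1}):
        return True
    keys = [UNSHIFT.get(c, c) for c in chars]   # "6&8" -> "678"
    rows = {ROW_OF.get(k) for k in keys}
    if len(rows) != 1 or None in rows:
        return False
    row = rows.pop()
    pos = [row.index(k) for k in keys]
    steps = {b - a for a, b in zip(pos, pos[1:])}
    return steps in ({1}, {-1})


def exceeds_sequence_limit(password: str, max_seq: float = 2) -> bool:
    """True if the password holds a run longer than max_seq, read either from
    contiguous characters (stride 1) or from every other character (stride 2,
    the page's "alternate character sequences"). 0 disables the check."""
    n = len(password)
    limit = resolve_limit(max_seq, n)
    if limit < 1:
        return False
    window = limit + 1                    # shortest run that is too long
    for stride in (1, 2):
        span = (window - 1) * stride + 1  # characters covered by one window
        for i in range(n - span + 1):
            if _is_run(password[i:i + span:stride]):
                return True
    return False
```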
Maximum Repeat Characters
Sets an upper limit as to how many times the same character may
repeat without a different intervening character. A 1
disallows repeated characters. A 0 has the effect of disabling
repeat checking.
Maximum 2 Character Pattern Repeats
Sets an upper limit on how many times the same two consecutive
characters can appear in a password; this applies to any and all
characters regardless of where they appear in the ASCII collating
sequence or the keyboard. If this were set to 2, "d*aP@d*1?" would be
allowed but not "d*Ad*@1d*?".
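The three count based checks (Maximum Character Occurrences, Maximum Repeat Characters and Maximum 2 Character Pattern Repeats) as an added Python example; this is not pwcheck.pl's code. It assumes a fractional occurrence limit is resolved by the integer portion rule the page gives for the other checks.

```python
from collections import Counter
from itertools import groupby


def resolve_limit(limit: float, length: int) -> int:
    """1 or more is an absolute count; below 1 is a fraction of the length
    (integer portion only, the rule the page gives for the other checks)."""
    return int(limit) if limit >= 1 else int(length * limit)


def exceeds_char_occurrences(password: str, limit: float = 0.8) -> bool:
    """Maximum Character Occurrences: True if any single character appears
    more often than the resolved limit allows. 0 disables the check."""
    cap = resolve_limit(limit, len(password))
    if cap < 1:
        return False
    return max(Counter(password).values(), default=0) > cap


def exceeds_repeat_limit(password: str, max_repeat: int = 1) -> bool:
    """Maximum Repeat Characters: True if one character is repeated more
    than max_repeat times in a row ("paasswd" fails at 1, passes at 2).
    0 disables the check."""
    if max_repeat < 1:
        return False
    return any(sum(1 for _ in run) > max_repeat for _, run in groupby(password))


def exceeds_bigram_repeats(password: str, max_repeats: int = 2) -> bool:
    """Maximum 2 Character Pattern Repeats: True if any pair of adjacent
    characters occurs more than max_repeats times anywhere in the password."""
    pairs = Counter(password[i:i + 2] for i in range(len(password) - 1))
    return max(pairs.values(), default=0) > max_repeats
```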
Do Not Allow All Digits
If checked, disallows passwords consisting solely of numbers. There
are fewer digits than characters of any other type, making the number of
possible passwords particularly small if all digit passwords are allowed. The
only character type that might be considered smaller than the digits is
single case vowels, but usually all 26 letters of the same case are
treated as a group. The default is to not allow all digit passwords.
Maximum Digit Ratio for Full Strength Estimate
The standard strength calculation is a function of how long the
password is and the diversity of character types. If the proportion
of digits in a password exceeds the ratio specified by maximum
digit ratio for full strength estimate, the strength
calculation may be adjusted downward. The default is .7. The
reasoning is that if any standard numeric format is used, the
separators are mostly noise and contribute nothing to the
strength of the password. If the password contains any letters,
the normal strength calculation is used, as no known standard
numeric formats contain letters.
If the password digit ratio exceeds the maximum and the password contains no
letters but does contain any of the common numeric separators,
"/", "-", "(" or ")", then only the digits are used in
calculating the password strength. This pretty much means the
password strength will be zero, as it takes 13 digits to get a
strength of 1. The presence of these separators alongside mostly
digits and no letters is very suggestive of a standard numeric
format such as "(222) 333-4444" for a phone number. This pattern
is 14 characters long but all likely variations can be gotten
just by changing the 10 digits. Further, only about a quarter of
the area codes are assigned. Finally, using just local area codes
(for the target computer) is likely to be much more productive
than using all valid area codes.
Keep in mind, the goal of the cracker is to maximize the use of
available CPU cycles by trying potential passwords that have a
significantly better chance of being used than any random
character sequence that might be generated. So the cracker can
likely improve efficiency further by using only assigned local
exchanges. Local phone numbers might not produce a single
password but they have a much better chance than any comparable
length random sequence, regardless of whether you count 10 or 14
characters. Local phone numbers are much more likely to be used
than any possible long distance phone number. Standard phone
number formatting, (222) 333-4444 or 222-333-4444, is more likely
to be used than non standard, e.g. 222x333*4444.
If the password digit ratio exceeds the maximum and the password contains
neither letters nor any of the common numeric separators, the
strength is reduced by 1 from what it would otherwise be.
Maximum Vowels Only and Maximum Consonants Only
One common way to form passwords is to drop the consonants or
especially the vowels from a word, e.g. psswrd. The maximum
vowels only and maximum consonants only checks prevent this with
a very low CPU and IO overhead. The default settings are both 2.
Limiting the kinds of character variation in a password is not
good so it's useful to disallow consonant or vowel heavy
passwords even if they are not derived from dictionary words.
These should not be decreased as that would discourage the use of
a few letters in a password with many digits, symbols or
punctuation. Setting these to three should have no adverse
consequences. Setting these higher will start to allow modified
dictionary words that form a significant part of the password.
Do Not Allow Dates, Phone or Social Security Numbers
By default all of these are checked and prevent passwords that
consist entirely or almost entirely of dates, phone numbers or
social security numbers. Common formats and obvious variations
are checked. Only passwords that consist entirely of these or
these plus white space are rejected. Even obvious dates, phone
numbers and social security numbers are allowed if the password
contains other non white space characters.
Check Words Across Non Letters
When check words across non letters is checked, the default,
Password Evaluator will remove all non alpha characters and
check the remaining letter only strings to see if they are
words or contain words. If this is not checked, only
contiguous sequences of letters are checked for words. It is
strongly recommended that this be left checked, as character
substitution in words cannot be checked if this is unchecked.
Additional Minimum Word Length
Additional Minimum Word Length, when checking words across non
letters, adds the length specified here to the minimum dictionary
word length to determine what to count as a word and what not.
The intention is to find dictionary words that have been hidden
by inserting non letters between two or more letters. It is not
to find small words that happen to get created when separate
letter sequences that are not words and not contiguous are put
together. Increasing the minimum length by 2, the default,
greatly reduces the number of created words that may occur while
still catching small separate words that have been combined with
non letters.
Unchecking check words across non letters will allow passwords
like ta2b4l6e. Using all three through nine character words from
the 45,000 word Linux word list, combined with every possible even, odd,
reversed even and reversed odd digit sequence of two through five characters,
to create every possible password up to 11 characters results in
only slightly over 6 million passwords. This is a tiny custom
dictionary compared to others that have been
discussed. Though there are
obviously an enormous number of ways to break up words with non
letters, the human tendency is to take the easy way. Checking
words across non letters is the only practical way to eliminate
the simple ways. No password made from a dictionary word
variation is good, even if it's not obviously bad, and they
should not be allowed.
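The two word checks above (Check Words Across Non Letters and Additional Minimum Word Length) as an added Python example, not pwcheck.pl's own code. The word list is a constructed stand-in for the Linux word list, the minimum dictionary word length of 3 is assumed, and the example reads the page as always checking contiguous letter runs at the plain minimum while the stripped string is held to the raised minimum.

```python
import re

# Constructed mini word list; the page uses a 45,000 word Linux word list.
WORDS = {"cat", "rat", "boat", "boats", "table", "pass", "word"}
MIN_WORD_LEN = 3  # assumed value of the evaluator's minimum dictionary word length


def find_words(password: str, across_non_letters: bool = True,
               additional_min: int = 2, min_word_len: int = MIN_WORD_LEN) -> list:
    """Return the dictionary words found in a password.

    Contiguous runs of letters are always checked against min_word_len.
    With across_non_letters (the default), all non-letters are also stripped
    out and the remaining string is checked again, but a word must then be
    min_word_len + additional_min long so that short words accidentally
    created by joining unrelated letter runs are not counted."""
    text = password.lower()
    targets = [(seg, min_word_len) for seg in re.findall(r"[a-z]+", text)]
    if across_non_letters:
        stripped = re.sub(r"[^a-z]", "", text)      # "ta2b4l6e" -> "table"
        targets.append((stripped, min_word_len + additional_min))
    found = set()
    for seg, need in targets:
        for size in range(need, len(seg) + 1):
            for i in range(len(seg) - size + 1):
                if seg[i:i + size] in WORDS:
                    found.add(seg[i:i + size])
    return sorted(found)
```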
Maximum Suffix Word Length Ratio
This prevents tacking an "ed" or "ing" suffix onto a short
word that normally does not have such a suffix. As long as
the ratio of the password, stripped of any additional characters
attached to the front, divided by the total length of the password,
i.e., with the extra front characters still on, is greater
than the ratio set here, an error condition results. It is
very tricky to add letters to the front of a short word followed
by "ed" or "ing" without creating new words,
once flipping, rotating, shifting, etc. are added into the mix.
The only easy way to add characters to the front is to use
digits, symbols and punctuation, with perhaps a letter in the
mix.
Until the less prefix divided by the full length ratio drops
below the maximum suffix word length ratio,
the suffix length is counted as part of the word length.
Normally only the part of the word that is the dictionary word is
counted. Without this, a non word could be made by appending "ing"
to a short word that does not have such a suffix. Only the short
word length would count and thus likely be less than the maximum
dictionary word length or ratio. For example, unless the "ing" in
"adaming" which is not a dictionary word, is counted as part of
the word length, "adaming" will be accepted as a password even
though it is one of the most trivial dictionary word variations
and one which the cracking tools easily exploit.
With the default setting of .75, at least three characters that
do not create a new word must be prepended or mixed into the
first part of "adaming" for it to be accepted. Raising this to
.8 allows only two additional characters to make an acceptable
password. If you care about strong passwords and presumably you
would not be using Password Evaluator unless you do, it's best
not to raise this. Values entered here less than the
maximum word length ratio will have no effect.
This page and the information on it may not be published or distributed under the
terms of the GeodSoft Publication License.
Copyright © 2000 - 2014 George Shaffer. All rights reserved.